Microsoft Word 0-Day Exploit – and the State Sponsored Hacktivism Behind It
A zero-day vulnerability is a flaw that hackers can exploit on the same day it is identified, leaving zero days of warning for the unaware, unsuspecting victims. In the case of the Microsoft Word zero-day vulnerability, hackers had known about it since at least Nov 2016. Forensics have detected traces linked to attacks on Russian targets, in addition to the mundane cybercriminal attacks that surfaced recently. A UK company that sells spyware systems to governments was named as the supplier, suggesting potentially state-sponsored hacktivism in action.
The vulnerability affects almost every version of Microsoft Office out there. It was found in the Encapsulated PostScript (EPS) graphics filter functionality. Victims were emailed a Word document that bypassed the standard warning about enabling macros. A remote server then sent a malicious payload, an RTF file disguised as a Word document, to infect targeted systems. The external content was not accessed until users clicked OK on the standard warning about remote content. You can read more details in the Microsoft announcement of the security patch and their advice not to switch on that particular filter. The Sophos site describes the mechanics of the exploit. This article claims that three groups were exploiting the vulnerability prior to its discovery.
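As an added illustration of the mechanics above (example code written for this page, not from the original article, Microsoft or Sophos), the check below flags an attachment whose filename claims to be a Word document while its leading bytes are actually RTF, and lists RTF control words associated with embedded, auto-updating objects or an embedded PostScript header. The `triage_attachment` helper and the sample attachment are constructed for this example; the object hex in the sample is dummy filler.

```python
import os
import re

# File-container signatures (public format facts; this lookup is constructed here)
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx container
WORD_EXTENSIONS = {".doc", ".docx", ".dot", ".dotx"}

def detect_container(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever the filename claims."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"

def rtf_indicators(data: bytes) -> list:
    """RTF control words worth a second look before the file is opened."""
    findings = []
    if re.search(rb"\\objdata", data):      # hex blob of an embedded OLE object
        findings.append("embedded-object-data")
    if re.search(rb"\\objupdate", data):    # object refreshes itself on open
        findings.append("auto-update-object")
    if b"%!PS-Adobe" in data:               # EPS header inside the document
        findings.append("postscript-payload")
    return findings

def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine name/content mismatch with content indicators into one verdict."""
    ext = os.path.splitext(filename.lower())[1]
    container = detect_container(data)
    findings = []
    if ext in WORD_EXTENSIONS and container == "rtf":
        findings.append("rtf-disguised-as-word")
    if container == "rtf":
        findings.extend(rtf_indicators(data))
    return {"filename": filename, "container": container,
            "findings": findings, "suspicious": bool(findings)}

# Constructed sample: an RTF body carrying an auto-updating embedded object,
# delivered under a .doc name. The object hex is dummy filler, not a payload.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate"
              b"{\\*\\objdata 0105000002000000}}}")

if __name__ == "__main__":
    print(triage_attachment("invoice.doc", SAMPLE_RTF))
```

A mail gateway or endpoint script can run the same check before a user ever sees the remote-content prompt the article describes.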
The Upsurge in State-Sponsored Hacktivism
State-sponsored hacktivism is nothing new. Many observers believe that the Russian group Fancy Bear is attached to Russian military intelligence. The recent embarrassing public dumps of the NSA hacking tools appear to indicate a similar role for them. Some recent suspected state-sponsored hacktivism targets included the UK Brexit referendum and the US presidential election.
Governments are increasingly harnessing hired-in hacking skills as a weapon, both against internal dissidents and external states. It’s obvious why – low cost, very difficult to detect when done successfully, even more difficult to trace and next to impossible to find proof and pin blame with any degree of certainty. It’s also not thought of as being in the same destructive category as dropping bombs or invading countries. Russia and China have been in the headlines recently as prime suspects. No doubt western allies have been active too. The incidence will increase, not go away. Government funding attracts hacking groups to offer their services and the advantage is all too often with the attacker.
Will State Hacktivism Affect the Average Business?
Yes and no. It’s no secret that governments collect and store all digital phone calls, for example, and endeavor to do the same with email. Innocent personal communications are in the mix but it’s difficult to perceive any sense of threat for law abiding citizens. However, this touches on the great privacy debate and the balancing act between a state protecting its citizens and prying too deeply into personal lives. It is not going to go away.
The age-old advice about not opening email attachments still holds strong. If you are not aware of the sender's true identity, you must not click unsolicited links or download attachments, no matter how innocent or attractive they may seem.
This attack depended on users ignoring the standard Microsoft warning that some content is on external servers. Users should pay heed to warnings like that, and stop to think for a moment before proceeding.
An anti-virus system with real-time scanning will detect and block many attacks, although not all.
You can find more advice here.